Tutorial / Cram Notes
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to your virtual machines directly through the Azure Portal. Unlike traditional methods that require public IP addresses for accessing virtual machines in Azure, Bastion provides secure access without the need for public IP addresses on the Azure virtual machines.
Bastion is provisioned inside your Azure Virtual Network (VNet), creating a Bastion host that you can use to access your VMs within that VNet. It acts as a gateway between the Internet and your virtual machines, using Azure Active Directory authentication and SSL encryption to ensure secure sign-in and data transfer.
Key Features of Azure Bastion include:
- Secure RDP and SSH connectivity through the Azure portal using HTML5-based web clients.
- No public IP required on Azure VMs, limiting exposure to the internet.
- Seamless integration with Azure Active Directory, with support for Azure Multi-Factor Authentication.
- Protection against brute force and other network attacks through isolation from the public internet.
- Simple and scalable deployment with high availability built-in.
Just-in-Time (JIT) Access is a method to enhance the security of virtual machines in Azure by controlling inbound traffic. JIT Access reduces the attack surface of your Azure VMs by allowing inbound traffic to specific ports only when it is needed. It is a feature of Azure Security Center (now part of Azure Defender) that helps manage access to VMs.
With JIT Access, administrators can:
- Define a policy that dictates the approved ports for inbound connections.
- Specify the approved users or groups who can request access.
- Limit access time frames, giving users access to VMs only when needed.
When JIT Access is enabled, Azure Security Center locks down the inbound traffic to the VM by creating Network Security Group (NSG) rules to deny all inbound traffic to the specified ports. Users must request access, and once approved by Security Center, the rules are configured to allow traffic for a limited time window.
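The lockdown-then-request cycle described above, as an added illustration that is not Azure's own code, SDK or Security Center API: a constructed Python model in which the policy names the approved ports, the longest window a user may request and the permitted source range; every approved port starts with a permanent deny rule, and an approved request prepends an allow rule that only lives for the requested window. The JitPolicy and NsgRule names, the "prod-vm-01" policy and the two-hour RDP maintenance scenario are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

@dataclass
class JitPolicy:
    vm: str
    max_hours: dict              # approved port -> longest window (hours) a user may request
    allowed_sources: str = "*"   # CIDR that requests must come from, or "*" for any

@dataclass
class NsgRule:
    name: str
    port: int
    source: str                  # "*" or the single requester address
    action: str                  # "Allow" or "Deny"
    expires: "datetime | None" = None   # None = permanent (the deny baseline)

def baseline_rules(policy):
    """Enabling JIT: every approved port gets a permanent deny rule."""
    return [NsgRule(f"jit-deny-{p}", p, "*", "Deny") for p in policy.max_hours]

def request_access(policy, rules, port, source_ip, hours, now):
    """Validate a request against the policy; on approval prepend a time-bound allow rule."""
    if port not in policy.max_hours:
        raise PermissionError(f"port {port} is not an approved JIT port on {policy.vm}")
    if not 0 < hours <= policy.max_hours[port]:
        raise PermissionError(f"{hours}h exceeds the policy maximum of {policy.max_hours[port]}h")
    src = ip_address(source_ip)  # a malformed address raises ValueError here
    if policy.allowed_sources != "*" and src not in ip_network(policy.allowed_sources):
        raise PermissionError(f"{source_ip} is outside {policy.allowed_sources}")
    allow = NsgRule(f"jit-allow-{port}-{source_ip}", port, source_ip, "Allow",
                    now + timedelta(hours=hours))
    return [allow] + rules       # listed first, i.e. higher priority than the deny baseline

def is_open(rules, port, source_ip, now):
    """Evaluate like an NSG: the first unexpired rule matching port and source decides."""
    for r in rules:
        if r.expires is not None and now >= r.expires:
            continue             # window has closed; fall through to the deny rule
        if r.port == port and r.source in ("*", source_ip):
            return r.action == "Allow"
    return False

def expire(rules, now):
    """Housekeeping: drop allow rules whose window has passed; the deny baseline stays."""
    return [r for r in rules if r.expires is None or now < r.expires]
# Constructed sample input: a two-hour RDP maintenance window on a production VM.
MAINTENANCE_START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
PROD_POLICY = JitPolicy("prod-vm-01", {3389: 3, 22: 3}, "10.0.0.0/8")
```

Note that a request from a different source address, or on port 22, stays denied even while the 3389 window for the requester is open, and that once the two hours elapse the deny rule is what answers again.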
Comparing Azure Bastion and JIT Access:
Feature | Azure Bastion | JIT Access
---|---|---
Access Method | RDP/SSH access via Azure Portal | RDP/SSH or other protocols
Public IP Requirement | No public IP required for VMs | Public IP can be used but managed
Inbuilt Authentication | Azure Active Directory support | Uses Azure Security Center
Traffic Encryption | SSL encryption | Depends on access protocol used
Brute Force Protection | Yes, no public IPs exposed | Yes, through limited access window
MFA Support | Yes, Azure MFA | Yes, with Azure MFA
Integration with Azure AD | Yes | No direct integration
Access Approval | Not required, uses Azure AD sign in | Required for each access request
Access Time Window | Continuous until disconnected | Configurable, time-limited access
Accessibility | Through Azure Portal only | Direct access to VMs
For example, a company may use Azure Bastion to provide its developers secure access to their development environment VMs without setting up a VPN connection. Developers simply log in to the Azure Portal, navigate to Azure Bastion, and directly connect to the virtual machines they need to work on, thus simplifying the process and reducing the potential for insecure access configurations.
On the other hand, a company might configure JIT Access to allow their system administrators to log into production servers via RDP for maintenance purposes. Rather than keeping RDP ports open at all times, they would be closed by default, and system administrators would request just-in-time access that opens the necessary ports for a limited period, say, two hours for scheduled maintenance.
Overall, Azure Bastion and JIT Access are part of the defense-in-depth security strategy within Azure, providing different levels of control and access management to ensure secure operations within your cloud environments. While Azure Bastion focuses on providing secure and seamless connectivity, JIT focuses on reducing the attack surface by providing access only when needed, both contributing to a stronger security posture for Azure workloads.
Practice Test with Explanation
True or False: Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to virtual machines directly from the Azure portal.
- True
Answer: True
Explanation: Azure Bastion is indeed a fully managed PaaS service that allows for secure RDP and SSH access to virtual machines directly in the Azure portal without the need for a public IP.
True or False: Just In Time (JIT) access can be configured on Azure VMs to provide unlimited access to selected ports for a specific amount of time.
- False
Answer: False
Explanation: JIT access provides limited access – not unlimited – to selected ports, and only for a set amount of time that you define in the policy.
Azure Bastion requires which of the following to function?
- A. A special client installed on the user’s device
- B. Integration with Azure Active Directory
- C. A public IP address for the target VM
- D. Deployment within its own dedicated subnet
Answer: D
Explanation: Azure Bastion requires no special client on the user’s device, no integration with Azure AD for its basic function, and no public IP address on the target VM – it operates from within a dedicated subnet called AzureBastionSubnet.
Which of the following best describes Just In Time (JIT) VM access in Azure Security Center?
- A. It enables unlimited access to VMs for a predefined time.
- B. It provides immediate, permanent admin access upon request.
- C. It limits access to VMs by opening ports for a defined time window.
- D. It restricts access to VMs completely, regardless of user privileges.
Answer: C
Explanation: JIT VM access helps manage the inbound traffic to Azure VMs, limiting access by controlling the ports and time windows during which ports are open.
True or False: Just In Time (JIT) access uses Azure Active Directory for authentication.
- True
Answer: True
Explanation: Just In Time (JIT) access leverages Azure Active Directory as part of its authentication and authorization process.
True or False: Azure Bastion provisions and operates seamlessly with scale sets for virtual machine deployment.
- True
Answer: True
Explanation: Azure Bastion integrates with virtual machine scale sets and provides connectivity to virtual machines within scale sets with RDP/SSH, without requiring a public IP address for each virtual machine.
To mitigate the risk of brute force attacks on VMs, you should:
- A. Use Azure Bastion
- B. Enable Multi-Factor Authentication
- C. Configure Just In Time (JIT) access
- D. All of the above
Answer: D
Explanation: Using Azure Bastion provides secure RDP/SSH that does not expose VMs to the public internet. Enabling MFA and configuring JIT access both add additional layers of protection by limiting the time and conditions under which access is permitted.
True or False: Azure Bastion provides on-demand access to all Azure resources regardless of their configuration.
- False
Answer: False
Explanation: Azure Bastion provides secure RDP/SSH access primarily to VMs, and the resources need to be configured accordingly to allow connectivity through Bastion.
Which Azure service provides time-bound access to VMs to reduce the attack surface?
- A. Azure AD Identity Protection
- B. Azure Application Gateway
- C. Azure Security Center JIT Access
- D. Azure Firewall
Answer: C
Explanation: Azure Security Center JIT Access is the service that provides a time-bound access feature to virtual machines to reduce the attack surface.
What is a prerequisite for using JIT VM access?
- A. The VMs must have a public IP address.
- B. Azure Defender must be enabled.
- C. The VMs must be part of a virtual network service endpoint.
- D. Network Security Groups (NSGs) must be disabled.
Answer: B
Explanation: JIT VM access requires that Azure Defender is enabled for the associated Azure subscription in order to use the JIT feature.
Interview Questions
Q: What is Azure Bastion?
A: Azure Bastion is a fully-managed platform that provides secure and seamless RDP and SSH connectivity to virtual machines directly from the Azure portal.
Q: How does Azure Bastion improve the security of your infrastructure?
A: Azure Bastion eliminates the need to expose virtual machines to the public internet, which can help reduce the risk of cyber attacks.
Q: What is Just-In-Time (JIT) Access?
A: Just-In-Time (JIT) Access is a feature in Azure that allows you to control access to your virtual machines and other Azure resources.
Q: How does JIT Access help reduce the attack surface of your Azure environment?
A: JIT Access helps reduce the attack surface of your Azure environment by minimizing the amount of time that ports are open.
Q: How do you configure JIT Access for your virtual machines?
A: You can configure JIT Access for your virtual machines by creating a Just-In-Time policy in Azure Security Center.
Q: What is Azure Security Center?
A: Azure Security Center is a unified security management solution that provides advanced threat protection across your hybrid workloads.
Q: What is Azure Firewall?
A: Azure Firewall is a cloud-based network security service that provides network and application-level protection for your Azure resources.
Q: What is the Hybrid Azure AD join?
A: Hybrid Azure AD join allows on-premises devices to be joined to Azure Active Directory to simplify device management and improve security.
Q: What is the difference between a basic Azure Firewall and a threat intelligence-based Azure Firewall?
A: A basic Azure Firewall provides basic network and application-level protection, while a threat intelligence-based Azure Firewall provides additional features, such as URL filtering and threat intelligence feeds.
Q: How can you configure Azure Firewall to block incoming traffic to a specific port?
A: You can configure Azure Firewall to block incoming traffic to a specific port by creating a network rule that denies traffic to the port.
Azure Bastion is such a crucial service for securely connecting to VMs. It eliminates the need for a public IP.
Can someone explain how JIT Access works in Azure Security?
Great read, thanks for the information!
I am not sure how much value Azure Bastion adds for smaller environments.
The integration of JIT with Azure AD Privileged Identity Management (PIM) is quite fascinating.
Appreciate the detailed overview on Bastion and JIT access!
Is there any impact on VM performance when using Bastion?
For those managing many VMs, JIT can save a lot of headaches.